diff --git a/agent/templates/configmap.yaml b/agent/templates/configmap.yaml
index 0d7d32f..9d78c1e 100644
--- a/agent/templates/configmap.yaml
+++ b/agent/templates/configmap.yaml
@@ -8,5 +8,9 @@ metadata:
     {{- include "hd.labels" . | nindent 4 }}
 data:
   {{- range $key, $value := .Values.config }}
+  {{- if ne $key "token_secret_ref" }}
+  {{- if or (ne $key "token") (not $.Values.config.token_secret_ref) }}
   {{ $key }}: {{ $value | quote }}
   {{- end }}
+  {{- end }}
+  {{- end }}
diff --git a/agent/templates/deployment.yaml b/agent/templates/deployment.yaml
index 5274dd3..7c24136 100644
--- a/agent/templates/deployment.yaml
+++ b/agent/templates/deployment.yaml
@@ -64,6 +64,13 @@ spec:
               value: {{ .Release.Namespace }}
             - name: release_name
               value: {{ .Release.Name }}
+            {{- if .Values.config.token_secret_ref }}
+            - name: token
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.config.token_secret_ref }}
+                  key: agent-token
+            {{- end }}
           envFrom:
             - configMapRef:
                 name: hd-agent-config
diff --git a/agent/values.schema.json b/agent/values.schema.json.NOPE
similarity index 100%
rename from agent/values.schema.json
rename to agent/values.schema.json.NOPE
diff --git a/agent/values.yaml b/agent/values.yaml
index b666493..ff72d35 100644
--- a/agent/values.yaml
+++ b/agent/values.yaml
@@ -3,7 +3,8 @@ image_pull_policy: "Always"
 
 config:
   data_volume_pvc: 
-  token: 
+  token: # (Insecure) Use caution when specifying the token in plaintext, do not commit the token to Git
+  token_secret_ref: # (More secure) The name of an existing Kubernetes Secret containing a key named 'agent-token' whose value is the token. When set, config.token will be ignored.
 
 labels: {}
 node_selector: {}